macro.template

sharewall is very good

#
# Shorewall version 4 - Macro Template
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to action files with the following exceptions:
#
#	- A macro file is not processed unless the marcro that it defines is
#	  referenced in the /etc/shorewall/rules file or in an action
#	  definition file.
#
#	- Macros are translated directly into one or more rules whereas
#	  actions become their own chain.
#
#	- All entries in a macro undergo substitution when the macro is
#	  invoked in the rules file.
#
#	- Macros used in action bodies may not invoke other macros.
#
# The columns in the file are the same as those in the action.template file but
# have different restrictions:
#
# Columns are:
#
#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#			LOG, QUEUE, PARAM or an <action> name.
#
#				ACCEPT	 -- allow the connection request
#				ACCEPT+	 -- like ACCEPT but also excludes the
#					    connection from any subsequent
#					    DNAT[-] or REDIRECT[-] rules
#				NONAT	 -- Excludes the connection from any
#					    subsequent DNAT[-] or REDIRECT[-]
#					    rules but doesn't generate a rule
#					    to accept the traffic.
#				DROP	 -- ignore the request
#				REJECT	 -- disallow the request and return an
#					    icmp-unreachable or an RST packet.
#				DNAT	 -- Forward the request to another
#					    system (and optionally another
#					    port).
#				DNAT-	 -- Advanced users only.
#					    Like DNAT but only generates the
#					    DNAT iptables rule and not
#					    the companion ACCEPT rule.
#				SAME	 -- Similar to DNAT except that the
#					    port may not be remapped and when
#					    multiple server addresses are
#					    listed, all requests from a given
#					    remote system go to the same
#					    server.
#				SAME-	 -- Advanced users only.
#					    Like SAME but only generates the
#					    NAT iptables rule and not
#					    the companion ACCEPT rule.
#				REDIRECT -- Redirect the request to a local
#					    port on the firewall.
#				REDIRECT-
#					 -- Advanced users only.
#					    Like REDIRET but only generates the
#					    REDIRECT iptables rule and not
#					    the companion ACCEPT rule.
#
#				CONTINUE -- (For experts only). Do not process
#					    any of the following rules for this
#					    (source zone,destination zone). If
#					    The source and/or destination IP
#					    address falls into a zone defined
#					    later in /etc/shorewall/zones, this
#					    connection request will be passed
#					    to the rules defined for that
#					    (those) zone(s).
#				LOG	 -- Simply log the packet and continue.
#				QUEUE	 -- Queue the packet to a user-space
#					    application such as ftwall
#					    (http://p2pwall.sf.net).
#				PARAM	 -- If you code PARAM as the action in
#					    a macro then when you invoke the
#					    macro, you can include the name of
#					    the macro followed by a slash ("/")
#					    and an ACTION (either builtin or
#					    user-defined. All instances of
#					    PARAM in the body of the macro will
#					    be replaced with the ACTION.
#				<action> -- The name of an action defined in
#					    /usr/share/shorewall/actions.std or
#					    in /etc/shorewall/actions.
#
#			The ACTION may optionally be followed
#			by ":" and a syslog log level (e.g, REJECT:info or
#			DNAT:debug). This causes the packet to be
#			logged at the specified level.
#
#			You may also specify ULOG (must be in upper case) as a
#			log level.This will log to the ULOG target for routing
#			to a separate log through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).
#
#			Actions specifying logging may be followed by a
#			log tag (a string of alphanumeric characters)
#			are appended to the string generated by the
#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#			Example: ACCEPT:info:ftp would include 'ftp '
#			at the end of the log prefix generated by the
#			LOGPREFIX setting.
#
#	SOURCE		Source hosts to which the rule applies. May be a zone
#			defined in /etc/shorewall/zones, $FW to indicate the
#			firewall itself, "all", "all+" or "none" If the ACTION
#			is DNAT	or REDIRECT, sub-zones of the specified zone
#			may be excluded from the rule by following the zone
#			name with "!' and a comma-separated list of sub-zone
#			names.
#
#			When "none" is used either in the SOURCE or DEST
#			column, the rule is ignored.
#
#			When "all" is used either in the SOURCE or DEST column
#			intra-zone traffic is not affected. When "all+" is
#			used, intra-zone traffic is affected.
#
#			Except when "all[+]" is specified, clients may be
#			further restricted to a list of subnets and/or hosts by
#			appending ":" and a comma-separated list of subnets
#			and/or hosts. Hosts may be specified by IP or MAC
#			address; mac addresses must begin with "~" and must use
#			"-" as a separator.
#
#			Hosts may be specified as an IP address range using the
#			syntax <low address>-<high address>. This requires that
#			your kernel and iptables contain iprange match support.
#			If you kernel and iptables have ipset match support
#			then you may give the name of an ipset prefaced by "+".
#			The ipset name may be optionally followed by a number
#			from 1 to 6 enclosed in square brackets ([]) to
#			indicate the number of levels of source bindings to be
#			matched.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			loc:192.168.1.1,192.168.1.2
#						Hosts 192.168.1.1 and
#						192.168.1.2 in the local zone.
#			loc:~00-A0-C9-15-39-78	Host in the local zone with
#						MAC address 00:A0:C9:15:39:78.
#
#			net:192.0.2.11-192.0.2.17
#						Hosts 192.0.2.11-192.0.2.17 in
#						the net zone.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" to the zone name followed by the
#			interface name. For example, loc:eth1 specifies a
#			client that communicates with the firewall system
#			through eth1. This may be optionally followed by
#			another colon (":") and an IP/MAC/subnet address
#			as described above (e.g., loc:eth1:192.168.1.5).
#
#	DEST		Location of Server. May be a zone defined in
#			/etc/shorewall/zones, $FW to indicate the firewall
#			itself, "all". "all+" or "none".
#
#			When "none" is used either in the SOURCE or DEST
#			column, the rule is ignored.
#
#			When "all" is used either in the SOURCE or DEST column
#			intra-zone traffic is not affected. When "all+" is
#			used, intra-zone traffic is affected.
#
#			Except when "all[+]" is specified, the server may be
#			further restricted to a particular subnet, host or
#			interface by appending ":" and the subnet, host or
#			interface. See above.
#
#				Restrictions:
#
#				1. MAC addresses are not allowed.
#				2. In DNAT rules, only IP addresses are
#				   allowed; no FQDNs or subnet addresses
#				   are permitted.
#				3. You may not specify both an interface and
#				   an address.
#
#			Like in the SOURCE column, you may specify a range of
#			up to 256 IP addresses using the syntax
#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
#			the connections will be assigned to addresses in the
#			range in a round-robin fashion.
#
#			If you kernel and iptables have ipset match support
#			then you may give the name of an ipset prefaced by "+".
#			The ipset name may be optionally followed by a number
#			from 1 to 6 enclosed in square brackets ([]) to
#			indicate the number of levels of destination bindings
#			to be matched. Only one of the SOURCE and DEST columns
#			may specify an ipset name.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modifiy the
#			destination port. A destination port may only be
#			included if the ACTION is DNAT or REDIRECT.
#
#			Example: loc:192.168.1.3:3128 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			3128. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#			if the ACTION is REDIRECT, this column needs only to
#			contain the port number on the firewall that the
#			request should be redirected to.
#
#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
#			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
#                       "ipp2p*" requires ipp2p match support in your kernel
#                       and iptables.
#
#			"tcp:syn" implies "tcp" plus the SYN flag must be
#			set and the RST,ACK and FIN flags must be reset.
#
#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			If the protocol is ipp2p*, this column is interpreted
#			as an ipp2p option without the leading "--" (example
#			"bit" for bit-torrent). If no port is given, "ipp2p" is
#			assumed.
#
#			A port range is expressed as <low port>:<high port>.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following ields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the CLIENT PORT(S) list below:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ORIGINAL DEST in the next column, then
#			place "-" in this column.
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the DEST PORT(S) list above:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#       ORIGINAL        Original destination IP address. Must be omitted (
#       DEST            or '-') if the macro is to be used from within
#                       an action. See 'man shorewall-rules'.
#
#	RATE LIMIT	You may rate-limit the rule by placing a value in
#			this colume:
#
#				<rate>/<interval>[:<burst>]
#
#			where <rate> is the number of connections per
#			<interval> ("sec" or "min") and <burst> is the
#			largest burst permitted. If no <burst> is given,
#			a value of 5 is assumed. There may be no
#			no whitespace embedded in the specification.
#
#				Example: 10/sec:20
#
#	USER/GROUP	This column may only be non-empty if the SOURCE is
#			the firewall itself.
#
#			The column may contain:
#
#	[!][<user name or number>][:<group name or number>][+<program name>]
#
#			When this column is non-empty, the rule applies only
#			if the program generating the output is running under
#			the effective <user> and/or <group> specified (or is
#			NOT running under that id if "!" is given).
#
#			Examples:
#
#				joe	#program must be run by joe
#				:kids	#program must be run by a member of
#					#the 'kids' group
#				!:kids	#program must not be run by a member
#					#of the 'kids' group
#				+upnpd	#program named upnpd (This feature was
#					#removed from Netfilter in kernel
#					#version 2.6.14).
#
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
#
#	#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL RATE	USER/
#	#				PORT(S)	PORT(S)	DEST	 LIMIT	GROUP
#	DNAT	-	-	tcp	21
#
# /etc/shorewall/rules:
#
#	#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL RATE	USER/
#	#				PORT(S)	PORT(S)	DEST	 LIMIT	GROUP
#	FwdFTP	net	loc:192.168.1.5
#
# The result is equivalent to:
#
#	#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL RATE	USER/
#	#				PORT(S)	PORT(S)	DEST	 LIMIT	GROUP
#	DNAT	net	loc:192.168.1.5	tcp	21
#
# The substitution rules are as follows:
#
#	ACTION column		If in the invocation of the macro, the macro
#				name is followed by slash ("/") and a second
#				name, the second name is substituted for each
#				entry in the macro whose ACTION is PARAM
#
#				For example, if macro FOO is invoked as
#				FOO/ACCEPT then when expanding macro.FOO,
#				Shorewall will substitute ACCEPT in each
#				entry in macro.FOO whose ACTION column
#				contains PARAM. PARAM may be optionally
#				followed by a colon and a log level.
#
#				You may also follow the
#
#				Any logging specified when the macro is
#				invoked is applied to each entry in the macros.
#
#	SOURCE and DEST		If the column in the macro is empty then the
#	columns			value in the rules file is used. If the column
#				in the macro is non-empty then any value in
#				the rules file is appended with a ":"
#				separator.
#
#	Example:		###############################################
#				#ACTION	 SOURCE	DEST		PROTO	DEST
#				#					PORT(S)
#		macro.FTP File	PARAM	 net	loc		tcp	21
#		rules File	FTP/DNAT -	192.168.1.5
#		Result		DNAT	 net	loc:192.168.1.5	tcp	21
#
#	Remaining		Any value in the rules file REPLACES the value
#	columns			given in the macro file.
#
#######################################################################################################
#                                         DO NOT REMOVE THE FOLLOWING LINE
FORMAT 2
#######################################################################################################
#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE